MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 936755e8327c278c397e4700bc0d4871217b3464553dd6ab1ea497365077f5f6. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 19


Intelligence 19 IOCs YARA 4 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 936755e8327c278c397e4700bc0d4871217b3464553dd6ab1ea497365077f5f6
SHA3-384 hash: a13fed6e5baabef9e4ef69335bd464d31e1646ce483c36637bfe92bfe83e9be8602f64c21c119a32d35d5b2034e5c790
SHA1 hash: 8f1a751391adaf66818a2fecb088358687914de2
MD5 hash: 0b30d3b31544e8ffa779c845761c58a2
humanhash: paris-mexico-carbon-enemy
File name:PO#303229.exe
Download: download sample
Signature AgentTesla
Create hunting rule
File size:979'456 bytes
First seen:2023-10-26 12:16:20 UTC
Last seen:2023-10-26 12:57:13 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'648 x AgentTesla, 19'452 x Formbook, 12'201 x SnakeKeylogger)
ssdeep 12288:9tn03CXBumFgGoiV1xsdPqzausz+IUTWoaDmc9pzfIxquP7r9r/+pppppppppppP:9tnmWDCGoiVcJqzuZoqfffIcu1q
Threatray 830 similar samples on MalwareBazaar
TLSH T1C2258C44E5D95948F83A9770C339CF3443B67EEA953AE11C3DCA3D973A7B6C24A12212
TrID 71.1% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
10.2% (.EXE) Win64 Executable (generic) (10523/12/4)
6.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.3% (.EXE) Win32 Executable (generic) (4505/5/1)
2.0% (.ICL) Windows Icons Library (generic) (2059/9)
File icon (PE):PE icon
dhash icon d4c4c4d8ccd4f0cc (241 x AgentTesla, 65 x Loki, 41 x Formbook)
Reporter cocaman
Tags:AgentTesla exe

Intelligence

File Origin
# of uploads :
2
# of downloads :
330
Origin country :
CH CH
Vendor Threat Intelligence
Malware family:
agenttesla
Create hunting rule
ID:
1
File name:
PO#303229.exe
Verdict:
Malicious activity
Analysis date:
2023-10-26 12:31:52 UTC
Tags:
stealer agenttesla
Link:
https://app.any.run/tasks/210eb778-96c3-4c56-9e30-ab21cc0a82a6

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
AgentTesla
Create hunting rule
Link:
https://www.capesandbox.com/analysis/456529/
Detection(s):
SecuriteInfo.com.Trojan.MulDrop24.6316.9599.4272.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Creating a window
DNS request
Creating a file in the %AppData% directory
Creating a file in the %temp% directory
Сreating synchronization primitives
Launching a process
Creating a process with a hidden window
Verdict:
Likely Malicious
Threat level:
  7.5/10
Confidence:
100%
Tags:
cryptojoker packed
Link:
https://www.filescan.io/uploads/653a58bfb38131f117a89bd0/reports/fab1167e-455b-4e4f-9c28-06aad6c408eb/overview
Verdict:
Malicious
Labled as:
IL:Trojan.MSILZilla
Link:
https://www.hybrid-analysis.com/sample/936755e8327c278c397e4700bc0d4871217b3464553dd6ab1ea497365077f5f6
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Agent Tesla
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/6a41ca09-7b11-46d8-9d50-eab36711faba
Result
Threat name:
AgentTesla
Create hunting rule
Detection:
malicious
Classification:
spre.troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1332656
Signature
.NET source code contains method to dynamically call methods (often used by packers)
.NET source code contains potential unpacker
.NET source code contains very large strings
Changes security center settings (notifications, updates, antivirus, firewall)
Contains functionality to log keystrokes (.Net Source)
Found malware configuration
Icon mismatch, binary includes an icon from a different legit application in order to fool users
Initial sample is a PE file and has a suspicious name
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Sigma detected: MSBuild connects to smtp port
Sigma detected: Scheduled temp file as task from temp location
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Uses schtasks.exe or at.exe to add and modify task schedules
Writes to foreign memory regions
Yara detected AgentTesla
Yara detected AntiVM3
Yara detected Generic Downloader
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1332656 Sample: PO#303229.exe Startdate: 26/10/2023 Architecture: WINDOWS Score: 100 39 mail.elysees-hotel.com 2->39 41 elysees-hotel.com 2->41 55 Found malware configuration 2->55 57 Malicious sample detected (through community Yara rule) 2->57 59 Icon mismatch, binary includes an icon from a different legit application in order to fool users 2->59 61 12 other signatures 2->61 9 PO#303229.exe 6 2->9         started        13 QscqeamSki.exe 5 2->13         started        signatures3 process4 file5 35 C:\Users\user\AppData\...\QscqeamSki.exe, PE32 9->35 dropped 37 C:\Users\user\AppData\Local\...\tmpBF14.tmp, XML 9->37 dropped 63 Tries to detect sandboxes and other dynamic analysis tools (process name or module or function) 9->63 65 Uses schtasks.exe or at.exe to add and modify task schedules 9->65 67 Writes to foreign memory regions 9->67 15 MSBuild.exe 2 9->15         started        19 schtasks.exe 1 9->19         started        69 Multi AV Scanner detection for dropped file 13->69 71 Machine Learning detection for dropped file 13->71 73 Injects a PE file into a foreign processes 13->73 21 MSBuild.exe 2 13->21         started        23 svchost.exe 13->23         started        25 schtasks.exe 1 13->25         started        signatures6 process7 dnsIp8 43 elysees-hotel.com 94.130.217.179, 49705, 49708, 587 HETZNER-ASDE Germany 15->43 45 Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc) 15->45 47 Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines) 15->47 49 Tries to steal Mail credentials (via file / registry access) 15->49 27 conhost.exe 19->27         started        51 Tries to harvest and steal browser information (history, passwords, etc) 21->51 53 Changes security center settings (notifications, updates, antivirus, firewall) 23->53 29 MpCmdRun.exe 23->29         started        31 conhost.exe 25->31         started        signatures9 process10 process11 33 conhost.exe 29->33         started       
Score:
100%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/936755e8327c278c397e4700bc0d4871217b3464553dd6ab1ea497365077f5f6
Detection:
agenttesla
Create hunting rule
Link:
https://mwdb.cert.pl/sample/936755e8327c278c397e4700bc0d4871217b3464553dd6ab1ea497365077f5f6/
Threat name:
ByteCode-MSIL.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2023-10-24 17:41:39 UTC
File Type:
PE (.Net Exe)
Extracted files:
47
AV detection:
19 of 37 (51.35%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=sntvl2bspqtyyol6i4alydkioeqxwndeku65nky6usltmudx6x3a._file
Verdict:
malicious
Similar samples:
141a5b247877921ff5e4b58b0aeaa36e6e4de38d87599ee6956308e2b70589a5
AgentTesla
4114485fdfbe256596299210254db82ebe399c7bcee81127b6e5a9b098f2f5d8
AgentTesla
69f1ba8f7b8dbb60f8049ca7b2c8730bf921efe454dcb52651f5210cebfa37d3
AgentTesla
9acb3802e7f15ac9c240749ff8c3ebe7a7cd660bedf4b6a6a1edef4de714aa43
AgentTesla
c6efcafa1919f03c1c4039960fe44a4c92c93e53ec8497c7e192f002470aec30
AgentTesla
cc546a73f7baa2fa41b789d6e5e3ca8c6abf3a574f9ef5ef0d186675f437da19
AgentTesla
cfadc51764727f6575af7a0c5ca579c99bc062ce94d67dbb844f4a44bd1d1711
AgentTesla
ea652ce006bdff45184664a2c691ca5c6256fc1a686dfa8721cf5a9d2e1f4593
AgentTesla
+ 820 additional samples on MalwareBazaar
Result
Malware family:
agenttesla
Create hunting rule
Score:
  10/10
Tags:
family:agenttesla keylogger spyware stealer trojan
Link:
https://tria.ge/reports/231026-pf13hsdc72/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Creates scheduled task(s)
Enumerates physical storage devices
Program crash
Suspicious use of SetThreadContext
Checks computer location settings
AgentTesla
Unpacked files
SH256 hash:
0b4c93addb0071e4cc368bc5e46a535e2eafd360b5db8b6c87620d7225eade2d
MD5 hash:
e17d9bb18c1bf12de8c75fa570f4cf72
SHA1 hash:
97751a31524557387d136e0e42e204186d00b5dd
Link:
https://www.unpac.me/results/a3fe40f3-882a-4cf7-aef4-10488b562538/
SH256 hash:
4f7ffbfc8bcbd5cbe143318649cbd1c212b3255c74cb5e2c4e747fc820ff094f
MD5 hash:
a8e8c3293d5799f1435b80ba598f3d2f
SHA1 hash:
6b43be3c9863b8a9bbd4bdaf79703c57c62f98b8
Detections:
AgentTesla
Create hunting rule
win_agent_tesla_g2
Create hunting rule
Link:
https://www.unpac.me/results/a3fe40f3-882a-4cf7-aef4-10488b562538/
SH256 hash:
ee3aed3285d6ea7428d79290baf77f719e6581fb8f08efabd0b4b6a25e098642
MD5 hash:
77234c9fb82a2acfd71b18ec7dacff30
SHA1 hash:
5fe0fe24f8cbdb965cc2bdea7437a7efb6779069
Link:
https://www.unpac.me/results/a3fe40f3-882a-4cf7-aef4-10488b562538/
SH256 hash:
936755e8327c278c397e4700bc0d4871217b3464553dd6ab1ea497365077f5f6
MD5 hash:
0b30d3b31544e8ffa779c845761c58a2
SHA1 hash:
8f1a751391adaf66818a2fecb088358687914de2
Link:
https://www.unpac.me/results/a3fe40f3-882a-4cf7-aef4-10488b562538/
Malware family:
AgentTesla
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/936755e8327c/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/936755e8327c278c397e4700bc0d4871217b3464553dd6ab1ea497365077f5f6

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:NET
Create hunting rule
Author:malware-lu
Rule name:PE_Digital_Certificate
Create hunting rule
Author:albertzsigovits
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

9359840b19ae4170ff4a9c6681b94adb3db7bee44468f5dd13d8b6dd4e22ae61

AgentTesla

Executable exe 936755e8327c278c397e4700bc0d4871217b3464553dd6ab1ea497365077f5f6

(this sample)

  
Delivery method
Other
  
Dropped by
SHA256 9359840b19ae4170ff4a9c6681b94adb3db7bee44468f5dd13d8b6dd4e22ae61
Cape
Cape
https://www.capesandbox.com/analysis/456529/

Comments